You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
consul/connect/proxy/proxy_test.go

132 lines
3.5 KiB

// Copyright (c) HashiCorp, Inc.
[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
1 year ago
// SPDX-License-Identifier: BUSL-1.1
package proxy
import (
"context"
"crypto/tls"
"net"
"path/filepath"
"runtime"
"strconv"
"testing"
"time"
"github.com/stretchr/testify/require"
"github.com/hashicorp/consul/agent"
agConnect "github.com/hashicorp/consul/agent/connect"
"github.com/hashicorp/consul/api"
"github.com/hashicorp/consul/connect"
"github.com/hashicorp/consul/sdk/freeport"
"github.com/hashicorp/consul/sdk/testutil"
"github.com/hashicorp/consul/sdk/testutil/retry"
"github.com/hashicorp/consul/testrpc"
)
func TestProxy_public(t *testing.T) {
if testing.Short() {
t.Skip("too slow for testing.Short")
}
ports := freeport.GetN(t, 2)
a := agent.NewTestAgent(t, "")
defer a.Shutdown()
testrpc.WaitForTestAgent(t, a.RPC, "dc1")
client := a.Client()
// Register the service so we can get a leaf cert
_, err := client.Catalog().Register(&api.CatalogRegistration{
Datacenter: "dc1",
Node: "local",
Address: "127.0.0.1",
Service: &api.AgentService{
Service: "echo",
},
}, nil)
require.NoError(t, err)
// Start the backend service that is being proxied
testApp := NewTestTCPServer(t)
defer testApp.Close()
upstreams := []UpstreamConfig{
{
DestinationName: "just-a-port",
LocalBindPort: ports[1],
},
}
var unixSocket string
if runtime.GOOS != "windows" {
tempDir := testutil.TempDir(t, "consul")
unixSocket = filepath.Join(tempDir, "test.sock")
upstreams = append(upstreams, UpstreamConfig{
DestinationName: "just-a-unix-domain-socket",
LocalBindSocketPath: unixSocket,
LocalBindSocketMode: "0600",
})
}
// Start the proxy
p, err := New(client, NewStaticConfigWatcher(&Config{
ProxiedServiceName: "echo",
PublicListener: PublicListenerConfig{
BindAddress: "127.0.0.1",
BindPort: ports[0],
LocalServiceAddress: testApp.Addr().String(),
},
Upstreams: upstreams,
}), testutil.Logger(t))
require.NoError(t, err)
defer p.Close()
go p.Serve()
// We create this client with an explicit ServerNextProtos here which will use `h2`
// if the proxy supports it. This is so we can verify below that the proxy _doesn't_
// advertise `h2` support as it's only a L4 proxy.
svc, err := connect.NewServiceWithConfig("echo", connect.Config{Client: client, ServerNextProtos: []string{"h2"}})
require.NoError(t, err)
// Create a test connection to the proxy. We retry here a few times
// since this is dependent on the agent actually starting up and setting
// up the CA.
var conn net.Conn
retry.Run(t, func(r *retry.R) {
conn, err = svc.Dial(context.Background(), &connect.StaticResolver{
Addr: TestLocalAddr(ports[0]),
CertURI: agConnect.TestSpiffeIDService(r, "echo"),
})
if err != nil {
r.Fatalf("err: %s", err)
}
})
// Verify that we did not select h2 via ALPN since the proxy is layer 4 only
tlsConn := conn.(*tls.Conn)
require.Equal(t, "", tlsConn.ConnectionState().NegotiatedProtocol)
// Connection works, test it is the right one
TestEchoConn(t, conn, "")
t.Run("verify port upstream is configured", func(t *testing.T) {
// Verify that it is listening by doing a simple TCP dial.
addr := net.JoinHostPort("127.0.0.1", strconv.Itoa(ports[1]))
conn, err := net.DialTimeout("tcp", addr, 100*time.Millisecond)
require.NoError(t, err)
_ = conn.Close()
})
t.Run("verify unix domain socket upstream will never work", func(t *testing.T) {
if runtime.GOOS == "windows" {
t.SkipNow()
}
// Ensure the socket was not created
require.NoFileExists(t, unixSocket)
})
}